diff --git a/README.md b/README.md
index 8671462..59289eb 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ The following options are used:
 - `OCP_BACKUP_S3`: Use S3 to store etcd-backup snapshots
 - `OCP_BACKUP_S3_NAME`: MinIO client host alias name
 - `OCP_BACKUP_S3_HOST`: S3 host endpoint (with scheme)
+- `OCP_BACKUP_S3_CA`: S3 host CA (if needed)
 - `OCP_BACKUP_S3_BUCKET`: S3 bucket name
 - `OCP_BACKUP_S3_ACCESS_KEY`: access key to access S3 bucket
 - `OCP_BACKUP_S3_SECRET_KEY`: secret key to access S3 bucket
diff --git a/backup-config.yaml b/backup-config.yaml
index 59edffe..bdba32d 100644
--- a/backup-config.yaml
+++ b/backup-config.yaml
@@ -6,6 +6,10 @@ data:
 OCP_BACKUP_S3: "false"
 OCP_BACKUP_S3_NAME: "minio"
 OCP_BACKUP_S3_HOST: "http://minio.local:9000"
+ OCP_BACKUP_S3_CA: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
 OCP_BACKUP_S3_BUCKET: "etcd-backup"
 OCP_BACKUP_S3_ACCESS_KEY: "randomaccesskey"
 OCP_BACKUP_S3_SECRET_KEY: "secretkey"
diff --git a/backup-cronjob.yaml b/backup-cronjob.yaml
index 2ff2783..c82133c 100644
--- a/backup-cronjob.yaml
+++ b/backup-cronjob.yaml
@@ -53,3 +53,9 @@ spec:
 - name: volume-backup
 persistentVolumeClaim:
 claimName: etcd-backup-pvc
+ - name: custom-ca
+ configMap:
+ name: backup-config
+ items:
+ - key: OCP_BACKUP_S3_CA
+ path: /etc/pki/ca-trust/source/anchors/ca.crt
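Review bot: The sample keeps `OCP_BACKUP_S3_HOST: "http://minio.local:9000"`, so with these values the new `OCP_BACKUP_S3_CA` entry would never be consulted and the access and secret keys on the following lines would be sent without TLS. I would switch the example endpoint to `https://` and add a comment above the new key such as `# PEM-encoded CA bundle; only takes effect when OCP_BACKUP_S3_HOST is an https:// endpoint`. The literal `...` between the PEM markers is not a certificate, so the comment should also say it must be replaced before the ConfigMap is applied. The `data:` map starts above the hunk.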
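Review bot: The `path:` under `items:` is absolute, and Kubernetes only accepts a relative path there (no leading `/`, no `..`), so this pod template will most likely be rejected by API validation. Use `path: ca.crt` and put the directory in the container's `volumeMounts` entry (`mountPath: /etc/pki/ca-trust/source/anchors`); no mount for `custom-ca` is visible in this hunk, and the containers section lies above it. Since the README marks the CA as "if needed", add `optional: true` under `configMap:`, otherwise a config without the `OCP_BACKUP_S3_CA` key keeps the backup pod from starting. A file in the anchors directory is presumably trusted only after `update-ca-trust` runs in the image, which is worth confirming against the backup script.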